Yesterday, Microsoft posted a new security bulletin regarding a new vulnerability affecting the Microsoft Video ActiveX Control.
The Microsoft Video Control object is a Microsoft ActiveX control that connects Microsoft DirectShow filters for use in capturing, recording, and playing video. It is the main component that Microsoft Windows Media Center uses to build filter graphs for recording and playing television video.
Microsoft warns that if a user is logged on with administrative user rights, an attacker could take complete control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. When using Internet Explorer, code execution is remote and may not require any user intervention.
The affected operating systems are as follows:
Windows XP Service Pack 2 (SP2) and Windows XP SP3
Windows XP X64 Edition SP2
Windows Server 2003 SP2
Windows Server 2003 X64 Edition SP2
Windows Server 2003 SP2 for Itanium-based Systems
Microsoft says customers may prevent the Microsoft Video ActiveX Control from running in Internet Explorer, either manually using the instructions in the Workaround section or automatically using the solution found in Microsoft Knowledge Base Article 972890. Preventing the Microsoft Video ActiveX Control from running in Internet Explorer has no impact on application compatibility.
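The following is an added example, not code from the bulletin or from Microsoft: a Python check that the workaround is actually in place on a machine, assuming it is applied through Internet Explorer's kill-bit mechanism (the 0x400 bit of "Compatibility Flags" under the ActiveX Compatibility registry key). The CLSIDs and the registry export are constructed placeholders; the real class identifiers are the ones listed in the bulletin's Workaround section.

```python
import re

KILL_BIT = 0x400  # bit in "Compatibility Flags" that stops IE loading the control
KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SOFTWARE\\(Wow6432Node\\)?Microsoft\\"
    r"Internet Explorer\\ActiveX Compatibility\\(\{[0-9A-F-]{36}\})\]$", re.I)
FLAG_RE = re.compile(r'^"Compatibility Flags"=dword:([0-9a-f]{8})$', re.I)

# Constructed placeholders, NOT the real class identifiers of the control.
PLACEHOLDER_CLSIDS = ["{00000000-0000-0000-0000-00000000000A}",
                      "{00000000-0000-0000-0000-00000000000B}",
                      "{00000000-0000-0000-0000-00000000000C}"]

# Constructed sample in .reg export format (decode real exports from UTF-16 first).
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-00000000000A}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-00000000000B}]
"Compatibility Flags"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-00000000000a}]
"Compatibility Flags"=dword:00800400
"""

def parse_kill_bits(reg_text):
    """Map (view, CLSID) -> True if the kill bit is set, for each key in the export."""
    state, current = {}, None
    for line in map(str.strip, reg_text.splitlines()):
        key = KEY_RE.match(line)
        if key:
            view = "32-bit" if key.group(1) else "native"
            current = (view, key.group(2).upper())
            state[current] = False  # key present, flag value not seen yet
        elif line.startswith("["):
            current = None  # unrelated key: ignore its values
        elif current and FLAG_RE.match(line):
            flags = int(FLAG_RE.match(line).group(1), 16)
            state[current] = bool(flags & KILL_BIT)  # other flag bits may be set too
    return state

def missing_kill_bits(reg_text, clsids, views=("native",)):
    """List (view, CLSID) pairs where the control can still load in that IE view."""
    state = parse_kill_bits(reg_text)
    return sorted((v, c.upper()) for v in views for c in clsids
                  if not state.get((v, c.upper()), False))

if __name__ == "__main__":
    # On x64 Windows, 32-bit IE reads the Wow6432Node view, so audit both.
    for view, clsid in missing_kill_bits(SAMPLE_EXPORT, PLACEHOLDER_CLSIDS,
                                         ("native", "32-bit")):
        print(f"kill bit NOT set ({view} view): {clsid}")
```

A key that exists with the flag cleared and a key that is absent altogether are both reported, since in either case the control is not blocked.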